Potential Privilege Escalation Using Symlink Between Osk and Cmd

Rule name: Potential Privilege Escalation Using Symlink Between Osk and Cmd

Rule type: Standard

Log sources: Windows

MITRE ATT&CK tags: Persistence: Event Triggered Execution - Accessibility Features (T1546.008), Privilege Escalation: Event Triggered Execution - Accessibility Features (T1546.008)

Severity: Critical

About the rule

Rule Type

Standard

Rule Description

This rule detects a known privilege escalation technique where attackers abuse a symbolic link (symlink) between osk.exe (On-Screen Keyboard) and cmd.exe to spawn a command prompt with elevated privileges. Since osk.exe is a trusted, accessibility-related binary that can be launched from the Windows logon screen, replacing it with or redirecting it to cmd.exe via a symlink allows attackers to gain SYSTEM-level access without credentials. This method is typically used post-compromise to escalate privileges on a local machine while bypassing user account control.

Severity

Trouble

Rule journey

Attack chain scenario

Initial access → Local foothold → Execution → Creation of symlink redirecting osk.exe to cmd.exe → Triggering osk.exe from the Windows logon or accessibility menu → cmd.exe launched with SYSTEM privileges → Privilege escalation

Impact

  • Security bypass
  • Privilege escalation
  • Persistence set up
  • Credential theft

Rule Requirement

Prerequisites

Using Windows Event Viewer:
To enable detailed process tracking in a domain environment, log in to a domain controller with domain admin credentials and open the Group Policy Management Console (GPMC). Create or edit a GPO linked to the target OU and, under Advanced Audit Policy Configuration, enable success auditing for both process creation and process termination. To capture command-line details, enable the "Include command line in process creation events" setting under Audit Process Creation. Additionally, create the Microsoft-Windows-Security-Auditing/Operational registry key under the EventLog path to support enhanced auditing.

Using Sysmon:
To enable detailed process monitoring using Sysmon, first download and install it from Microsoft Sysinternals. Run Command Prompt as an administrator and install Sysmon with a configuration file that includes process creation tracking using sysmon.exe -i [configfile.xml]. Ensure your configuration includes a <ProcessCreate> filter to capture all process creation events. Additionally, create the Microsoft-Windows-Sysmon/Operational registry key under the EventLog path if it doesn’t already exist.

Criteria

Action1: actionname = "Process started"
  AND (PROCESSNAME endswith "\cmd.exe" OR ORIGINALFILENAME = "Cmd.Exe")
  AND (COMMANDLINE contains "mklink" AND COMMANDLINE contains "\osk.exe" AND COMMANDLINE contains "\cmd.exe")
select Action1.HOSTNAME, Action1.MESSAGE, Action1.COMMANDLINE, Action1.FILE_NAME, Action1.PROCESSNAME, Action1.USERNAME, Action1.PARENTPROCESSNAME
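As an added example (not the vendor's rule engine or any code from this page), the Criteria above implemented in Python and run over constructed process-creation events. Field names follow the Criteria; matching is case-insensitive, which is an assumption made here because Windows paths and commands are case-insensitive, so a case-sensitive "contains" would miss MKLINK or OSK.EXE.

```python
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    # Field names mirror the rule's Criteria (one process-creation record)
    actionname: str
    hostname: str
    processname: str       # full path of the started process
    originalfilename: str  # PE OriginalFileName, as Sysmon EID 1 reports it
    commandline: str
    username: str
    parentprocessname: str

def matches_osk_symlink_rule(ev: ProcessEvent) -> bool:
    """Action1 of the Criteria. Case-insensitive (assumption, see lead-in)."""
    if ev.actionname != "Process started":
        return False
    is_cmd = (ev.processname.lower().endswith("\\cmd.exe")
              or ev.originalfilename.lower() == "cmd.exe")
    cl = ev.commandline.lower()
    return is_cmd and "mklink" in cl and "\\osk.exe" in cl and "\\cmd.exe" in cl

def run_rule(events):
    """Return the select-clause fields (MESSAGE/FILE_NAME omitted) for each hit."""
    return [{"HOSTNAME": e.hostname, "COMMANDLINE": e.commandline,
             "PROCESSNAME": e.processname, "USERNAME": e.username,
             "PARENTPROCESSNAME": e.parentprocessname}
            for e in events if matches_osk_symlink_rule(e)]

# Constructed sample events (not real telemetry): two hits, two non-hits.
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    ProcessEvent("Process started", "WS01", CMD, "Cmd.Exe",
                 r"cmd.exe /c mklink C:\Windows\System32\osk.exe " + CMD,
                 r"WS01\localadmin", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcessEvent("Process started", "WS01", CMD, "Cmd.Exe",   # benign mklink, no osk.exe
                 r"cmd.exe /c mklink /D C:\Tools\link C:\Tools\target",
                 r"WS01\dev", r"C:\Windows\explorer.exe"),
    ProcessEvent("Process started", "WS02", CMD.upper(), "Cmd.Exe",  # upper-case variant
                 r"CMD.EXE /C MKLINK C:\WINDOWS\SYSTEM32\OSK.EXE C:\WINDOWS\SYSTEM32\CMD.EXE",
                 r"WS02\svc", r"C:\Windows\System32\services.exe"),
    ProcessEvent("Process ended", "WS01", CMD, "Cmd.Exe",     # wrong action, must not fire
                 r"cmd.exe /c mklink C:\Windows\System32\osk.exe " + CMD,
                 r"WS01\localadmin", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit["HOSTNAME"], hit["USERNAME"], hit["COMMANDLINE"])
```

Running it reports the WS01 and WS02 events only; the benign mklink and the "Process ended" record are left out, which is the behaviour to verify against your own telemetry before enabling the rule.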

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Persistence: Event Triggered Execution - Accessibility Features (T1546.008), Privilege Escalation: Event Triggered Execution - Accessibility Features (T1546.008)

Security Standards

Enabling this rule will help you meet the requirements of the security standards listed below:

PR.PS-01: Configuration management practices are established and applied

ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded

When this rule is triggered, you're notified of an attempt to manipulate trusted system binaries using symbolic links to escalate privileges.

Author

frack113

Future actions

Known False Positives

This technique is almost exclusively associated with malicious or red team activity. Creating a symlink between osk.exe and cmd.exe to gain elevated access is not part of normal administrative or user behavior. Therefore, any detection of this behavior should be treated as highly suspicious and potentially malicious.

Next Steps

When this rule is triggered, the following measures can be implemented:

  • Identification: Review the source of the symlink creation and which user or process initiated it. Identify if the system shows signs of prior compromise, such as suspicious file drops, persistence mechanisms, or exploitation activity.
  • Analysis: Inspect file system changes, command-line activity, and event logs around the time of detection. Check if cmd.exe was launched with elevated privileges and whether further malicious commands or scripts were executed.
  • Response: Isolate the affected endpoint to prevent further privilege abuse. Delete the symlink and inspect system integrity. Reset credentials for any users with elevated access on the host.
  • Monitor accessibility features: Disable unnecessary accessibility features on the logon screen (e.g., osk.exe, narrator.exe) via Group Policy.

Mitigation

M1038 - Execution Prevention: Identify and block potentially malicious software executed through accessibility features functionality by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate.

M1035 - Limit Access to Resource Over Network: Use a Remote Desktop Gateway to manage connections and security configuration of RDP within a network.

M1028 - Operating System Configuration: Ensure that Network Level Authentication is enabled to force the remote desktop session to authenticate before the session is created and the login screen displayed.